ABA PDI Seminar, May 2008
8/14/2019 ABA PDI Seminar, May 2008
http://slidepdf.com/reader/full/aba-pdi-seminar-may-2008 1/18
The American Bar Association
Section of Science & Technology Law and the
ABA Center for Continuing Legal Education
Present
The Legal Implications and Risks of the Payment Card
Industry (PCI) Data Security Standard
American Bar Association
Center for Continuing Legal Education
321 North Clark Street, Suite 1900
Chicago, IL 60610-4714
www.abanet.org/cle
800.285.2221, select option 2
CDs, DVDs, ONLINE COURSES, PODCASTS, and COURSE MATERIALS
ABA-CLE self-study products are offered in a variety of formats. To take advantage of our full
range of options, visit the ABA Web Store at www.abaclecatalog.org.
The materials contained herein represent the opinions of the authors and editors and should not be
construed to be the action of the American Bar Association, Section of Science & Technology Law or the
Center for Continuing Legal Education unless adopted pursuant to the bylaws of the Association.
Nothing contained in this book is to be considered as the rendering of legal advice for specific cases, and
readers are responsible for obtaining such advice from their own legal counsel. This book and any forms
and agreements herein are intended for educational and informational purposes only.
© 2008 American Bar Association. All rights reserved.
This publication accompanies the audio program entitled “The Legal Implications and Risks of the
Payment Card Industry (PCI) Data Security Standard” broadcast on April 29, 2008 (Event code:
CET8LIP).
Discuss This Course Online
Visit http:/www.abanet.org/cle/discuss to access the discussion board for this program.
Discussion boards are organized by the date of the original program,
which you can locate on the preceding page of these materials.
The Legal Implications and Risks of the Payment Card Industry Data Security Standard
Our Panelists
David Navetta, Esq., InfoSecCompliance, LLC,
Arshad Noor, StrongAuth, Inc. [email protected]
Alex Pezold, FishNet Security, [email protected]
Roadmap
PCI Background
Hannaford Factual Summary
PCI Interpretative Variances
Legal Implications of PCI
Risk Mitigation Efforts
What is PCI?
Security standard for the protection of payment card data
(any card with a payment card brand logo – credit/debit)
Not a law – industry self regulation
Arose out of individual security programs developed by
payment card brands (e.g. VISA CISP, MasterCard SDP,
AMEX DSOP, Discover DISC)
Compliance: 1 PCI Standard; 5 payment card brand
security programs
Build and Maintain a Secure Network
1. Install and maintain a firewall
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
PCI Standard v. Payment Card Security Programs
PCI Standard -- minimum security controls, policies and procedures
vs.
Security Programs -- procedural in nature: merchant level definitions; procedures, deadlines and documentation for validating PCI compliance; documentation requirements for security assessment; security incident response requirements; and fines and penalties
PCI Standard v. Payment Card Security Programs
(Diagram: the PCI Standard at the center, surrounded by the four brand security programs: VISA CISP, MasterCard SDP, Discover DISC, AMEX DSOP)
PCI Framework and Procedures
PCI Council: www.pcisecuritystandards.org/
Qualified Security Assessors and Approved Scanning Vendors
Assessment and scanning processes and requirements -- Independent Assessment v. Self Assessment Questionnaire
Merchant Levels
Level 1 -- Any merchant processing over 6 million VISA or MasterCard transactions per year, or identified by any other payment card brand as Level 1.
Level 2 -- Any merchant processing 1 to 6 million VISA or MasterCard transactions per year.
Level 3 -- Any merchant processing 20,000 to 1 million VISA or MasterCard e-commerce transactions per year.
Level 4 -- Any merchant processing fewer than 20,000 VISA or MasterCard e-commerce transactions per year.
Assessment Actions
Level 1
Assessment actions: Annual On-Site Security Assessment AND Quarterly Network Scan
Validated by: Independent Assessor, or Internal Audit if signed by an Officer of the Company (assessment); Qualified Independent Scan Vendor (scan)
Levels 2 & 3
Assessment actions: Annual Self-Assessment Questionnaire AND Quarterly Network Scan
Validated by: Merchant, with optional support from a qualified vendor (questionnaire); Qualified Independent Scan Vendor (scan)
Level 4
Assessment actions: Annual Self-Assessment Questionnaire (Recommended); Network Scan (Recommended)
Validated by: Merchant, with optional support from a qualified vendor (questionnaire); Qualified Independent Scan Vendor (scan)
Validation Dates
Date -- Applies to
9/30/07 -- All Level 1 merchants identified from 2004-2006
12/31/07 -- All Level 2 merchants identified from 2004-2006
9/30/08 -- All Level 1 merchants identified in 2007 (up to one year from identification)
12/31/08 -- All Level 2 merchants identified in 2007
Other Procedural Aspects
Fines and Penalties
Incident Response Requirements
Post-incident forensic audit
PCI Contract Chain
Payment Card Company (e.g. VISA, MasterCard, Discover, AMEX )
Merchant (e.g. any company that accepts payment cards for transactions)
Payment Processing Org. (e.g. PaymentTech, First Data)
Merchant Bank (e.g. Chase, Citibank, 5th Third Bank, credit unions)
Service Provider (e.g. any company that processes, transmits or stores payment card data)
PCI Contract Chain
Scope of PCI Obligations dictated contractually
No Direct Contractual Relationship between Merchants and Payment Card
Companies.
No Direct Duty for Service Providers to Comply with PCI or Security Programs
PCI Section 12.8 -- A Merchant’s Compliance with PCI is Directly Contingent on
Contractual Obligations Imposed on its Service Providers
Matching Upstream and Downstream Obligations and Risk.
Special problem: existing service provider relationships and PCI Compliance
Hannaford Brothers Grocery Breach
4.2 million cards; 1800 identity theft incidents; 21 consumer class actions filed in Federal Courts in 3 states
Servers in 300 stores across 3 states compromised at Point of Sale terminal -- appears that the data was not encrypted on internal networks or prior to transmitting for processing
December 7, 2007 -- Data breach first began; privacy policy stated PCI Compliant at the time
February 27, 2008 -- Hannaford became aware of the breach
February 27, 2008 -- Hannaford recertified as PCI Compliant
March 10, 2008 -- Breach contained
March 17, 2008 -- Reported by Hannaford
Hannaford undergoing post-incident forensic audit
April 22, 2008 -- Hannaford reports plans to spend millions on security, including encryption of all card numbers during the entire time they are within the supermarket chain's data network and intrusion detection
PCI Interpretative Variances
Section 3.4 – encryption of Primary Account Number while stored
Section 4.1 – encryption of sensitive cardholder data in transit
Open, public networks
“networks that are easy and common for a hacker to intercept, modify, and divert data while in transit”
Other potentially problematic sections
PCI Interpretative Variances
Section 3.2 – do not store sensitive authentication data
after authorization (even if encrypted)
Section 12.8 – service provider contractual obligation for
PCI compliance
“Compensating controls”
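Sections 3.2 and 3.4 above, and the scoping problem raised later in these materials (where is the data? where is it being processed?), both begin with the same practical step: finding cardholder data in places it should not be, such as application and POS logs. The following is an added example, not part of the ABA seminar materials or the panelists' work. It is a small Python scanner that reports Luhn-valid primary account numbers (masked to first six / last four) and the sensitive authentication data that Section 3.2 forbids storing after authorization: full magnetic-stripe track 1 and track 2 data and card verification codes. The sample log lines, the field names in them (pan=, track1=, cvv2=) and the track and CVV patterns are constructed for the example; the card numbers are the brands' published test numbers, not real accounts.

```python
"""Cardholder-data discovery for PCI DSS 3.2 / 3.4 scoping.

Added example, not from the ABA seminar materials. Scans text (here a
constructed POS log) for Luhn-valid PANs and for sensitive authentication
data (SAD) that must not be stored after authorization: track 1 / track 2
magnetic-stripe data and CVV/CVC/CID values. Every PAN in the output is
masked so the scanner's own report does not become a new store of card data.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (so a 20-digit hash fragment is not a PAN).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed shapes for the sample: track 1 is "%B<PAN>^<NAME>^<YYMM...", track 2
# is ";<PAN>=<YYMM...>?", and verification codes appear as "cvv2=123"-style fields.
SAD_PATTERNS = [
    ("track1", re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")),
    ("track2", re.compile(r";?\d{13,19}=\d{4}\d*\?")),
    ("cvv", re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.I)),
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order IDs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit number in text, separators stripped."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Mask to first six / last four, the most a display may show under 3.3."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(s: str) -> str:
    """Mask every PAN-shaped digit run inside a piece of evidence."""
    return PAN_RE.sub(lambda m: mask_pan(re.sub(r"[ -]", "", m.group())), s)


def scan_lines(text: str) -> list[tuple[int, str, str]]:
    """Per line: (line number, finding kind, redacted evidence)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pan in find_pans(line):
            findings.append((lineno, "pan", mask_pan(pan)))
        for kind, rx in SAD_PATTERNS:
            for m in rx.finditer(line):
                findings.append((lineno, kind, redact(m.group())))
    return findings


# Constructed sample log; the card numbers are published test numbers.
SAMPLE_LOG = """\
2008-02-27 12:01:05 POS-3 auth ok pan=4111111111111111 amt=19.95
2008-02-27 12:01:09 POS-3 debug track1=%B4111111111111111^DOE/JOHN^0912101?
2008-02-27 12:02:44 POS-7 debug track2=;5555555555554444=0912101? cvv2=123
2008-02-27 12:03:10 POS-7 order=1234567890123456 status=settled
2008-02-27 12:04:51 WEB   auth ok pan=3782 822463 10005 amt=250.00
"""

if __name__ == "__main__":
    for lineno, kind, evidence in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: {kind:6s} {evidence}")
```

Line 4 of the sample carries a 16-digit order number that the Luhn check discards, while lines 2 and 3 show the case the Hannaford slides make vivid: a PAN in a debug line is a 3.4 problem, but track data and a CVV in the same line are a 3.2 problem that no amount of encryption at rest cures, because the data may not be kept at all.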
PCI Legal Link
Negligence – PCI as standard of care
TJX – Expert
TJX – Post-incident audit
Plastic Card Protection Laws
Minnesota Plastic Card Protection Law – PCI Section 3.2
Other states that have considered/are considering reimbursement
laws: Massachusetts, Illinois, Connecticut, Texas, Minnesota, California, Michigan, Alabama, Iowa and Washington
Security Viewpoint v. Legal Viewpoint
(Spectrum, from strictest to loosest:)
Strict Interpretation (“to the letter”)
Looser; not strictest, but “reasonable interpretations”
Looser -- “unreasonable”
“Loose-est” Interpretation -- Non-compliant
Resolving Ambiguities
Multiple Sources of Interpretation
Unclear Binding Effect
Unclear Authoritative Weight of Interpretations
Potentially Legally Risky Practices
QSA shopping
Rubber-stamping
Scoping Problems -- providing the full picture (where is the data?,
where is it being processed?)
SAQ -- check-box mentality (SAQ v. 1.0 does not map to 1.1
Standard; SAQ 1.1 – short versions; compliance with the
Standard)
Other Legal Risks
Reasonable security v. PCI Compliance
T.J. Hooper?
"Indeed in most cases reasonable prudence is in fact common prudence,
but strictly it is never its measure. A whole calling may have unduly
lagged in the adoption of new and available devices. . . . Courts must in
the end say what is required. There are precautions so imperative that
even their universal disregard will not excuse their omission."
-- Judge Learned Hand
PCI & False Sense of Security
PCI certification = point in time
Having policies and procedures to follow PCI v. actually implementing
How were ambiguities resolved? (e.g. PCI Council, payment card brand,
acquiring bank, business considerations, e-mails, etc.)
How was the process approached? (e.g. QSA shopping, rubber stamping,
check box mentality, proper personnel, etc.)
Existence/Scope of “Safe Harbor”?
Process-Oriented Adverse Admissions
Bad documentation/assessments during
assessment process
Future promises of PCI compliance (by merchant
or service providers)
Post-incident forensic assessments
Section 12.8 “Interpretative Variances”
12.8 If cardholder data is shared with service providers, then
contractually the following is required:
12.8.1 Service providers must adhere to the PCI DSS
requirements
12.8.2 Agreement that includes an acknowledgment that the
service provider is responsible for the security of cardholder data the provider possesses
Section 12.8 “Interpretative Variances”
Narrow interpretation: contract language indicates that service provider must adhere to
the PCI Standard, which means that the minute the contract is effective the service provider
must be PCI-compliant and the merchant should confirm such compliance;
Middle-ground interpretation: contract language indicates that service provider agrees
that it must adhere to the PCI Standard, but the merchant does not need to confirm such
compliance, but rather can trust the service provider’s contractual representation that it is
compliant and responsible for cardholder data; and
Loose interpretation: contract language indicates that the service provider agrees that it
must adhere to the PCI Standard, but the merchant has discovered that the service provider
has some controls that need to be implemented to achieve full PCI compliance and
imposes a deadline after the effective date of the contract to achieve such compliance in the future. Under this interpretation a merchant complies with 12.8.1 as long as the service
provider contractually promises to adhere to the PCI Standard during the contract term by a
certain reasonable date, even if not compliant at the inception of the contract.
Hannaford (Complete and Utter) Speculation
PCI Compliant and reasonably secure
PCI Compliant, but not reasonable security (PCI Standard itself is weak)
QSA or Hannaford misinterpreted PCI / ambiguity (or relied on a bad interpretation
provided by a different PCI Stakeholder)
Hannaford did not supply QSA with full information
Hannaford changed – PCI Compliant at point in time (Feb. 2007)
Hannaford did not follow its PCI policies and procedures after PCI compliance
assessed
What to do?
From a security standpoint….
Reasonable security is the goal
Segregate remediation and assessment.
Err on the side of caution for interpretations (stricter; to the word)
Choose QSAs wisely
Draw your general counsel into the process at the beginning
What to do?
From a legal standpoint?
Contractually
Assess Upstream; Impose Downstream
Develop a service provider contracting strategy (current and future vendors)
Incorporate “waivers” into the contract
Liability Mitigation
Reach out to the security team and get involved at the start (A.C.T.: awareness, communication, translation)
Use attorney-client privilege (e.g. remediation work)
Adverse admissions -- look out for the creation of a paper trail (e.g. audits, letters to merchant banks, etc.)
Strict compliance (and if not, anticipate litigation issues)
Get it in writing and have it confirmed by relevant stakeholders
Questions?
David Navetta, Esq., InfoSecCompliance, LLC,
Arshad Noor, StrongAuth, Inc.
Alex Pezold, FishNet Security, [email protected]